Aspects of the disclosure are directed to identifying and evaluating security risks of infrastructure facilities. Numerous facilities, such as corporation offices, factories, plants, etc. may contain numerous assets which need to be secured and protected. Accordingly, the facilities have various security systems intended to detect unauthorized intrusions and delay an adversaries' attempt to access the assets. With the emergence of computer systems and communications systems, modern protection is not only limited to physical protection but also extends into the cyber domain, for example, through the use of passwords, firewalls, etc. Furthermore, there is overlap between physical and cyber domains as an adversary may use vulnerabilities in one domain to render security systems in the other domain less secure. In one illustrative example, an adversary may launch an initial attack upon cyber infrastructure to reduce the protection provided by security systems in the physical domain (e.g., access a server or cyber control system to unlock a physical door).
At least some aspects of the disclosure are directed towards methods and apparatus to evaluate security systems of a facility as discussed in detail below.